
HIPAA and OIG Compliance: A Response to Security Breaches

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law whose administrative simplification provisions protect individually identifiable health information, known as protected health information (PHI), from being used or disclosed without authorization. Its two core sets of standards are the Privacy Rule and the Security Rule; the HITECH Act of 2009 added the Breach Notification Rule that governs the reporting discussed below.

The Privacy Rule permits the flow of health information needed to provide and pay for care while setting national standards for when PHI may be used or disclosed, and it gives individuals rights over their own records (access, amendment, and an accounting of disclosures). The Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities and their business associates to implement administrative, physical, and technical safeguards that protect its confidentiality, integrity, and availability.

Despite the implementation of privacy and security standards, security breaches are increasing at an alarming rate. For example, 249 breaches were reported to the Office for Civil Rights in 2022, compared with 548 in 2023. Even more alarming is the number of individuals affected: 30.9 million in 2022 and 122 million in 2023.

Risk Assessment: Taking Appropriate Action When HIPAA Violations Occur 

Upon determining that a HIPAA violation may have occurred, the chief compliance officer, together with the compliance committee, should immediately open an investigation that includes a formal risk assessment. The Office of the National Coordinator for Health Information Technology (ONC), following 45 CFR 164.402, defines a breach as an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI. The rule presumes that any impermissible use or disclosure is a breach unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

Once a breach of unsecured PHI is discovered, the covered entity must notify the affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Every breach must also be reported to the Secretary of the Department of Health and Human Services (HHS); only the timing differs. Breaches affecting 500 or more individuals are reported to the Secretary within the same 60-day window (and to prominent media outlets in the affected state), while smaller breaches may be logged and submitted annually, within 60 days of the end of the calendar year in which they were discovered. If a covered entity elects not to report an incident and it is later determined that notification was required, the failure is categorized as willful neglect, which carries a fine of $11,002 to $55,100 per violation. Organizations sometimes decide not to report before completing the investigation and risk assessment, and that decision creates a chain of liabilities that is far harder to unwind than a timely notification.

According to the Office of Inspector General (OIG), risk assessment is the process of identifying, analyzing, and responding to risk. Conducting a comprehensive compliance risk assessment depends on the covered entity's ability to draw out potential risks from both internal and external sources. The compliance committee should run the assessment as a joint effort with the audit, quality, and risk management functions, so that it is thorough and each function's expertise contributes to accuracy, precision, and efficiency. A joint structure also keeps resources prioritized and minimizes redundant work, which matters because speed is essential during a suspected breach: the notification clock runs 60 days from the date the breach is discovered, not from the date the investigation concludes.

To conclude that the probability of compromise is low, the covered entity must document that it assessed at least the four factors required by 45 CFR 164.402(2), described below.

The first factor is the nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information could be re-identified. Encryption bears directly on this factor. Encryption transforms readable plaintext into ciphertext under the control of a cryptographic key; the algorithm itself (for example, AES) is public, so the protection rests entirely on keeping the key secret. Data encrypted with a sound algorithm and an adequately long key cannot be read by anyone who obtains the ciphertext but not the key, and the only way to recover the plaintext is to decrypt it with that key.

Under the Security Rule, encryption of ePHI is an addressable implementation specification rather than an absolute requirement, but it is one of only two recognized ways (the other being destruction of the media) to take PHI outside the breach notification rule entirely. HHS guidance issued under the HITECH Act treats PHI as "secured" when it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption consistent with NIST guidance, for data at rest (NIST SP 800-111) and data in transit (NIST SP 800-52, 800-77, or 800-113). The loss or theft of properly encrypted PHI is therefore not a reportable breach, with one critical caveat: the safe harbor holds only if the decryption key was not also compromised, so keys must be stored and managed separately from the data they protect. A stolen laptop whose key is cached on the same disk, or a database whose key sits in a configuration file beside it, does not qualify.

The second factor is the unauthorized person who used the PHI or to whom it was disclosed, for example whether the recipient is itself a HIPAA-covered entity already obligated to protect the information or an unknown external party.

The third factor is whether the PHI was actually acquired or viewed, as opposed to merely exposed; forensic evidence, such as a recovered device whose logs show no access after it was lost, can answer this.

The fourth factor, according to HHS, is the extent to which the risk to the PHI has been mitigated, for example by obtaining satisfactory assurances from the recipient that the information was destroyed. Data analytics supports this part of the assessment: once access and disclosure data are expressed as consistent metrics (for example, distinct patient records opened per user per shift), outliers in the data set stand out and can be investigated.

Moving Swiftly to Mitigate Breaches 

Beyond the assessment itself, the organization must mitigate and correct the effects of the breach. Mitigation examples include retrieving, deleting, or destroying improperly used PHI; terminating a user's access or resetting credentials; wiping a device; and modifying the policies or practices that govern how the data may be used.

Moving swiftly matters for a second reason: a covered entity can avoid HIPAA penalties if it corrects the violation within 30 days of discovery and did not act with willful neglect. Applying OIG compliance program element 6 (risk assessment, auditing, and monitoring), the organization should also implement audit and monitoring tools that would catch the same or similar sources of breach in the future. The annual risk assessment gives the compliance committee the list of risks to audit on a schedule, and the effectiveness of the compliance program itself should be evaluated periodically.
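The outlier analysis mentioned under the fourth factor and the monitoring tools called for here share one building block: a standardized access metric and a robust test for anomalies. The following added example, not from the article, from OIG, or from any EHR vendor, flags users who open far more patient charts than their peers. The audit line format, the distinct-charts-per-user metric, the nurse99 snooper, and the whole sample log are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// ParseAccessLine reads one row of an EHR access audit trail in the assumed
// format "<RFC3339 time> user=<id> patient=<mrn> action=<verb>" (real vendor
// exports differ). Rows lacking user or patient are rejected so a truncated
// or altered export fails loudly instead of being silently under-counted.
func ParseAccessLine(line string) (user, patient string, err error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["user"] == "" || kv["patient"] == "" {
		return "", "", fmt.Errorf("malformed audit line: %q", line)
	}
	return kv["user"], kv["patient"], nil
}

// DistinctPatientsPerUser is the standardized metric: distinct charts opened
// per user. Re-opening one patient counts once; breadth of access is the signal.
func DistinctPatientsPerUser(lines []string) (map[string]int, error) {
	seen := map[[2]string]bool{}
	counts := map[string]int{}
	for _, l := range lines {
		u, p, err := ParseAccessLine(l)
		if err != nil {
			return nil, err
		}
		if !seen[[2]string{u, p}] {
			seen[[2]string{u, p}] = true
			counts[u]++
		}
	}
	return counts, nil
}

// median sorts its argument in place; the index trick covers odd and even n.
func median(s []float64) float64 {
	sort.Float64s(s)
	n := len(s)
	if n == 0 {
		return 0
	}
	return (s[(n-1)/2] + s[n/2]) / 2
}

// FlagOutliers returns users whose breadth of access is anomalous, with their
// scores. It uses the Iglewicz-Hoaglin modified z-score (x - median)/(1.4826*MAD)
// rather than mean/stddev: one heavy snooper inflates the standard deviation
// enough to hide itself but barely moves the median and MAD. If MAD is zero
// (most users identical) the method's fallback of 1.2533 * mean absolute
// deviation is used; if that is zero too nothing is flagged, since no outlier
// is definable. One-sided: opening too few charts is not a privacy concern.
func FlagOutliers(counts map[string]int, threshold float64) map[string]float64 {
	var xs []float64
	for _, c := range counts {
		xs = append(xs, float64(c))
	}
	med := median(xs)
	dev := make([]float64, len(xs))
	var sumDev float64
	for i, x := range xs {
		dev[i] = math.Abs(x - med)
		sumDev += dev[i]
	}
	denom := 1.4826 * median(dev)
	if denom == 0 && len(dev) > 0 {
		denom = 1.253314 * sumDev / float64(len(dev))
	}
	flagged := map[string]float64{}
	for u, c := range counts {
		if denom > 0 && (float64(c)-med)/denom > threshold {
			flagged[u] = (float64(c) - med) / denom
		}
	}
	return flagged
}

// SampleLog is constructed for this example: eight clerks each open 6 to 13
// charts during a shift; one account opens 140 distinct charts in 35 minutes.
func SampleLog() []string {
	var lines []string
	emit := func(user string, mrn int) {
		n := len(lines) // one event every 15 seconds starting at 07:00
		lines = append(lines, fmt.Sprintf("2024-03-04T07:%02d:%02dZ user=%s patient=MRN%04d action=view", n/4, n%4*15, user, mrn))
	}
	for i := 0; i < 8; i++ {
		for p := 0; p < 6+i; p++ {
			emit(fmt.Sprintf("clerk%02d", i+1), 1000+i*20+p)
		}
	}
	for p := 0; p < 140; p++ {
		emit("nurse99", 5000+p)
	}
	return lines
}
```

Running FlagOutliers over DistinctPatientsPerUser(SampleLog()) with the conventional 3.5 cutoff flags only nurse99 (140 charts against a median of 10). In production the comparison population must be chosen carefully: a coder or a unit clerk legitimately touches many more charts than a bedside nurse, so counts should be scored within a role and shift cohort, and a flag is a trigger for review under the sanctions policy, not a finding by itself.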

Employees involved in breaches can face sanctions of their own, which vary in type (civil or criminal) and severity. Civil monetary penalties imposed by HHS follow a tiered system in which the tier is determined by the covered entity's level of culpability, that is, whether and to what extent it knew that HIPAA rules were being violated.

According to the HHS Office for Civil Rights (OCR), the tiers and their penalties are as follows (statutory amounts under HITECH, with the annual caps OCR adopted in its 2019 notice of enforcement discretion; both are adjusted for inflation each year):

  • Tier 1 – Unknowing violation – $100 to $50,000 per violation (annual cap $25,000)
  • Tier 2 – Reasonable cause – $1,000 to $50,000 per violation (annual cap $100,000)
  • Tier 3 – Willful neglect, corrected within 30 days – $10,000 to $50,000 per violation (annual cap $250,000)
  • Tier 4 – Willful neglect, not corrected – $50,000 per violation (annual cap $1.5 million)

When a HIPAA violation rises to a criminal offense under 42 U.S.C. 1320d-6, both fines and imprisonment are possible. According to the Department of Justice, the maximum prison terms by tier are:

  1. Up to one year for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA.

  2. Up to five years if the offense is committed under false pretenses.

  3. Up to 10 years if the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

  4. A mandatory two-year term, served consecutively to any other sentence, for aggravated identity theft (18 U.S.C. 1028A) when PHI is used to commit identity theft in connection with a qualifying felony.

Putting Policies in Place 

Whatever the nature of the breach, the organization should have an established process for individualized, continuing education of the employee responsible. OCR resolution agreements routinely impose corrective action plans that include workforce retraining, so after the risk assessment the next step is HIPAA retraining for the employee and, where the failure was systemic, for the organization, covering the specific rules that were violated and the procedure that should have been followed when handling the PHI. The training should stress regulatory compliance and tie the applicable HIPAA provisions to the organization's own workflows.

The organizational sanction should be structured according to questions that map directly to the infraction: Was the PHI disclosure intentional? Was it a single disclosure or a pattern of behavior? Did the offender merely expose information, or did they use someone's PHI for a deliberate purpose? One approach that maps onto common infractions is a three-level HIPAA infraction rule.

45 CFR 164.530(e)(1) requires the covered entity to apply appropriate sanctions against workforce members who fail to comply with its privacy policies, and the sanction should fit the level of the breach:

  • Level 1 – A first, unintentional infraction in which no PHI was revealed to others. A written letter of reprimand notifies the employee of the wrongdoing and of the sanctions that will follow if the same or a similar infraction recurs.
  • Level 2 – A second simple infraction, or a first serious infraction, within three years. A written reprimand plus a one-week suspension from work without pay.
  • Level 3 – A third simple infraction, or a second serious infraction, within three years. Termination of employment, and if the breach is of substantial magnitude, a report to OCR.

Whatever one's role in healthcare, delivering the highest quality of patient care requires an organizational code of ethics that directs the mission, vision, and values of each role and serves the population the organization cares for. Reporting and managing security breaches in accordance with HIPAA and OIG guidance is part of that ethical framework.


Brandon Fusaro is education program coordinator in the Division of Oral & Maxillofacial Surgery and Dentistry at Massachusetts General Hospital in Boston, MA. He is also a graduate student pursuing a Master's in Health Administration at the School of Professional Studies at Wake Forest University in Winston-Salem, NC.

Joan M. Kiel, PhD, CHPS, is chairperson of University Healthcare Compliance and a professor in the Rangos School of Health Sciences at Duquesne University in Pittsburgh, PA, as well as an adjunct professor of practice at the School of Professional Studies at Wake Forest University.